LEGAL

Data Processing Addendum

Contractual terms governing Orbex Data's processing of personal data on behalf of customers using our logistics management platform and related services.

Effective date:
January 1, 2026
Posted:
January 1, 2026
Read time:
22 min

Scope & Parties

This Data Processing Addendum ("DPA") forms part of the agreement between Orbex Data, Inc. ("Processor," "Orbex Data," "we," "us," or "our") and the entity subscribing to or using the Services ("Controller," "Customer," or "you"). This DPA applies when Orbex Data processes Personal Data on behalf of Customer in connection with the Orbex Data logistics management platform, APIs, integrations, and related support services (collectively, the "Services").

This DPA supplements the Terms of Service and Privacy Policy. In case of conflict regarding the processing of Personal Data, this DPA controls. Capitalized terms not defined here have the meanings given in the Terms of Service.

  • Customer acts as the controller (or business) of Personal Data it uploads or causes to be processed through the Services.
  • Orbex Data acts as a processor (or service provider) with respect to such Personal Data, except where Orbex Data acts as an independent controller as described in the Privacy Policy.
  • This DPA is designed to address requirements under the GDPR, UK GDPR, and comparable global data protection laws.
  • Execution occurs automatically upon Customer's acceptance of the Terms or signature of an applicable order form referencing this DPA.

Definitions

For purposes of this DPA, the following definitions apply in addition to those in applicable Data Protection Laws.

  • "Data Protection Laws" means all applicable laws relating to privacy and data protection, including the EU GDPR, UK GDPR, and U.S. state comprehensive privacy laws, in each case as amended or superseded.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Orbex Data on behalf of Customer through the Services.
  • "Processing," "Data Subject," "Supervisory Authority," and "Personal Data Breach" have the meanings given in the GDPR unless otherwise stated.
  • "Sub-processor" means any third party engaged by Orbex Data to process Personal Data on behalf of Customer.
  • "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for international transfers, as applicable.
  • "Customer Data" includes Personal Data submitted to the Services by or for Customer, including shipment party contacts, driver information, and user account data within Customer's tenant.

References to legal terms in this DPA are descriptive of contractual obligations between the parties and do not constitute legal advice. Customers should consult counsel regarding their regulatory obligations in the logistics and trade context.

Processing Instructions

Orbex Data will process Personal Data only on documented instructions from Customer, including the configuration of the Services, integrations enabled by Customer, and documented support requests, unless required by applicable law. In such case, Orbex Data will inform Customer of the legal requirement before processing unless prohibited by law.

Customer instructs Orbex Data to process Personal Data to provide the Services described in the Terms of Service and order form, including hosting, backup, display to authorized users, transmission to integrations selected by Customer, generation of shipment documents, analytics within the tenant, and technical support.

  • Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired.
  • Customer must not instruct Orbex Data to process special categories of data except where permitted by Data Protection Laws and necessary for legitimate logistics operations.
  • Customer must ensure its privacy notices and consents cover processing by Orbex Data and listed Sub-processors.
  • Orbex Data may reject instructions that violate Data Protection Laws or create unreasonable security risk.

If Orbex Data believes an instruction infringes Data Protection Laws, it will promptly notify Customer and may suspend processing related to the infringing instruction until remedied.

Data Categories & Subjects

The nature of processing depends on Customer's use of the logistics platform. The table below summarizes typical categories of Personal Data and data subjects processed through the Services. Customer remains responsible for determining which categories apply to its deployment.

Categories of personal data processed
Data categoryDescriptionTypical data subjects
Account & identityName, business email, phone, job title, authentication logs, role assignmentsCustomer employees, contractors, and authorized platform users
Shipment party dataConsignee and shipper names, addresses, contact numbers, tax or customs identifiersCustomer's customers, suppliers, consignees, and logistics partners
Operational logistics dataDriver names, vehicle identifiers, delivery instructions, proof-of-delivery signatures, warehouse contact detailsDrivers, warehouse staff, and field personnel involved in Customer shipments
Commercial & billingInvoice contacts, payment approvers, purchase order references within Customer tenantCustomer finance and operations personnel
CommunicationsSupport tickets, in-app messages, notification delivery metadataUsers interacting with Customer support or platform notifications
Technical metadataIP addresses, device identifiers, API access logs tied to identifiable usersUsers accessing app.orbexdata.com or Customer-issued API credentials

Processing operations include collection, storage, organization, retrieval, use, disclosure by transmission, alignment, restriction, erasure, and destruction as necessary to provide the Services and maintain security.

Security Measures

Orbex Data implements technical and organizational measures appropriate to the risk, including those described in Annex II (Security Measures Summary) incorporated by reference. Measures are subject to periodic review and improvement.

  • Encryption of Personal Data in transit and at rest for production systems.
  • Logical access controls, MFA for administrative access, and least-privilege policies.
  • Tenant isolation, vulnerability management, and logging of administrative actions.
  • Business continuity and disaster recovery procedures with regular backup testing.
  • Personnel screening and confidentiality obligations for staff with data access.
  • Incident detection, response, and customer notification procedures aligned with Section 9 of this DPA.

Customer is responsible for configuring user permissions, enabling available security features, maintaining credential confidentiality, and implementing internal policies governing access to shipment and contact data within its organization.

Upon reasonable request and subject to confidentiality, Orbex Data may provide additional security documentation to assist Customer with compliance assessments.

Sub-processors

Customer provides general authorization for Orbex Data to engage Sub-processors to support delivery of the Services. Orbex Data will impose data protection obligations on Sub-processors substantially similar to those in this DPA and remain responsible for Sub-processor performance of processing obligations.

Orbex Data will maintain an up-to-date list of Sub-processors and notify Customer of intended additions or replacements via email to the account administrator or through a designated notice page at least fifteen (15) days before the change takes effect. Customer may object on reasonable grounds relating to data protection within ten (10) days of notice.

Authorized sub-processors (representative list)
Sub-processorProcessing activityLocationSafeguards
Amazon Web Services, Inc.Cloud hosting, database, object storage, and networking infrastructureUnited States, EU regions as configuredDPA, SCCs where applicable, ISO 27001-aligned controls
Google Cloud Platform (Google LLC)Secondary hosting, analytics infrastructure, and email delivery servicesUnited States, EU regions as configuredDPA, SCCs where applicable
Stripe, Inc.Payment processing and billing metadataUnited StatesPCI-DSS, DPA, SCCs where applicable
SendGrid / Twilio Inc.Transactional email and notification deliveryUnited StatesDPA, SCCs where applicable
Datadog, Inc.Application performance monitoring and security loggingUnited States, EUDPA, SCCs where applicable
Intercom, Inc.Customer support messaging on marketing and help channelsUnited States, EUDPA, SCCs where applicable
Snowflake Inc.Analytical warehousing of aggregated operational metricsUnited States, EU as configuredDPA, SCCs where applicable

The authoritative Sub-processor list may be updated periodically. Enterprise customers may subscribe to change notifications or request the current list at hello@orbexdata.com.

International Transfers

Customer acknowledges that Orbex Data and its Sub-processors may transfer and process Personal Data globally. Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties will implement appropriate safeguards.

Module Two (Controller to Processor) and, where applicable, Module Three (Processor to Processor) of the EU Standard Contractual Clauses (2021/914) are incorporated by reference and completed as follows: Customer is the data exporter and Orbex Data is the data importer; the optional docking clause applies for additional controllers; technical and organizational measures are described in Annex II; Sub-processors are listed in Annex III or the Sub-processor table above.

  • For UK transfers, the UK International Data Transfer Addendum applies to the SCCs.
  • For Swiss transfers, the SCCs apply with modifications required by Swiss FDPIC guidance.
  • Customer may select EU data residency where available under its subscription tier.
  • Orbex Data will assist Customer with transfer impact assessments upon reasonable request.

Data Subject Rights

Orbex Data will assist Customer in fulfilling Data Subjects' rights under Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection, by providing appropriate technical and organizational measures within the Services where feasible.

If Orbex Data receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, it will promptly redirect the request to Customer unless legally prohibited. Customer is responsible for responding to Data Subjects and determining the appropriate action.

  • Self-service export and deletion tools may be available within Customer's tenant for certain data types.
  • Orbex Data will respond to Customer's verified instructions within commercially reasonable timeframes and in accordance with applicable law.
  • Reasonable fees may apply for repetitive, excessive, or manifestly unfounded assistance requests unless prohibited by law.
  • Both parties will cooperate with Supervisory Authorities as required by Data Protection Laws.

Breach Notification

Orbex Data will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent known, the nature of the breach, categories and approximate number of Data Subjects concerned, likely consequences, and measures taken or proposed to address the breach.

Orbex Data will provide reasonable cooperation and information necessary for Customer to meet its regulatory notification obligations. Orbex Data's notification of a breach is not an admission of fault or liability.

  • Initial notice may be provided when details are still being investigated, followed by updates as information becomes available.
  • Customer must maintain accurate administrator contact details for security notifications.
  • Orbex Data will document incidents and remedial actions in accordance with its incident response policy.
  • Parties will coordinate public communications where a breach requires joint messaging, unless legally required to act independently.

Deletion & Return

Upon termination or expiration of the Services, Customer may export Customer Data, including Personal Data, using available export functionality for thirty (30) days unless a different period is specified in the order form. After the export period, Orbex Data will delete Personal Data processed on behalf of Customer within ninety (90) days, except where retention is required by law or permitted under backup retention schedules.

Customer may request earlier deletion of specific datasets through account settings or by submitting a written request to hello@orbexdata.com. Deletion from live systems may not immediately purge copies in encrypted backups; backup media are cycled according to documented retention schedules.

  • Orbex Data will certify deletion upon Customer's reasonable written request where commercially practicable.
  • Legal hold or regulatory preservation requirements supersede deletion requests where applicable.
  • Aggregated or de-identified data not identifying individuals may be retained for analytics and service improvement.
  • Sub-processors are contractually required to delete or return Personal Data in alignment with this section.

Audit, Liability & Contact

Orbex Data will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by Customer or a mutually agreed independent auditor, subject to reasonable notice, confidentiality, and no more than once annually unless required by a Supervisory Authority or following a material security incident.

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service, except that limitations may not apply to breaches of data protection obligations where prohibited by applicable law.

Contact for DPA matters

  • General inquiries: hello@orbexdata.com
  • Website: https://orbexdata.com
  • Application: https://app.orbexdata.com
  • Postal address: Orbex Data, F#08 st 10, RusseyKeo, Phnom Penh, Cambodia

Orbex Data may update this DPA to reflect changes in Data Protection Laws or Service capabilities. Material changes will be notified to Customer with at least thirty (30) days' notice where required. Continued use of the Services after the effective date of an updated DPA constitutes acceptance unless Customer terminates in accordance with the Terms.

Enterprise customers requiring a countersigned DPA or custom SCC appendices may contact hello@orbexdata.com during procurement.

Questions about this policy? Contact us at hello@orbexdata.com.

Orbex Data · F#08 st 10, RusseyKeo, Phnom Penh, Cambodia

Trust & security on About →